Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Slack Releases Open Source SDL Tool

After building an SDL tool for their own use, Slack has released it on Github under an open source license.

Security is a matter of friction — applying as much as possible to malign actors and processes, and as little as possible to legitimate users and applications. For software developers, any additional friction can seem too much and lead to teams working around, rather than with, the processes intended to provide built-in security. Slack is a fast-moving company that needs lightning-fast development cycles and secure software. It's a situation that called for a tool they didn't have. So they built one and released it as an open source application for anyone to use.

Slack has a small development team and a seemingly insatiable appetite for new capabilities and features; it's not uncommon for the company to deploy code to production 100 times in a day. "Integrating security into products, with distinct steps and quite a bit of process, didn't align with the way things worked here," says Max Feldman, a member of the product security team at the company.

Feldman says that the development team looked at existing tools, including Microsoft's, but that the tools either added too much overhead or were oriented toward a waterfall development process. "Process can be antithetical to rapid development," says Feldman. His team's challenge was to, he says, "bring best practices into Slack while remaining "Slack-y."

The new tool is intended to help Slack implement a security development lifecycle. The application, dubbed "GoSDL," was described in depth in a recent company blog post. The goal, says Feldman, was to develop rapid and transparent development.

GoSDL is, he says, a fairly simple PHP application that allows any team member to begin the process of interacting with security. "The beginning of the process of a new feature is one where they can check whether they want direct security involvement," Feldman says. If so, the feature is flagged "high risk," not because of any actual risk but to make it high priority for security team action. If the security involvement box isn't checked, it doesn't mean that security steps aside, but their involvement begins with a series of questions about the impact on existing products and features.

Once the security team is involved it begins to put together risk assessments (high, medium, or low) for each component of the feature. The product engineer or manager is responsible for a component survey with additional checklists of potential issues.

All of the checklists and communications to this point are created in the PHP application running on the Slack platform. Once the lists reach the point of requiring action, the application generates a Jira ticket that creates the action item checklist.

"This empowers engineers and developers to evaluate their own security," Feldman says. "We'll be involved and help, but the more they're versed in security, the better we are." And that "better" is embodied in a cultural shift toward security, as well.

"One of the things we tried to do with the blog post and documentation is talk about the culture and how to use it," Feldman says, adding that the "transparency and communication are an integral aspect of this; without them it could still work but it would be much different."

It is important, he says, for security to be seen as a trusted partner in the development process rather than a blocking adversary. "The fostering of mutual trust between development and engineering is a goal. Engagement, getting familiar with people, meeting people as they join," is critical, he says.

"For us the behavioral and cultural aspects are sufficient but we've tried with the blog post to clarify how it might be useful. We want to let teams integrate the tool and make things pleasant for everyone," Feldman explains.

GoSDL is available on Github.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/30/2018 | 11:11:24 PM
"The fostering of mutual trust between development and engineering is a goal"
Collaboration is the ultimate end game. In many cases you can see a direct correlation to optimization.
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8071
PUBLISHED: 2019-10-17
Adobe Download Manager versions 2.0.0.363 have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.
CVE-2019-10752
PUBLISHED: 2019-10-17
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
CVE-2019-12611
PUBLISHED: 2019-10-17
An issue was discovered in Bitdefender BOX firmware versions before 2.1.37.37-34 that affects the general reliability of the product. Specially crafted packets sent to the miniupnpd implementation in result in the device allocating memory without freeing it later. This behavior can cause the miniupn...
CVE-2019-13657
PUBLISHED: 2019-10-17
CA Performance Management 3.5.x, 3.6.x before 3.6.9, and 3.7.x before 3.7.4 have a default credential vulnerability that can allow a remote attacker to execute arbitrary commands and compromise system security.
CVE-2019-15626
PUBLISHED: 2019-10-17
The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability.